Cardinals Face F.B.I. Inquiry in Hacking of Astros’ Network (nytimes.com)
156 points by _vvdf on June 16, 2015 | 114 comments



TL;DR: a member of the Cardinals' staff left for the Astros a few years ago. Both teams had an internal system to track recruiting efforts etc. He used the SAME password in the new org, the Astros. Someone from the Cardinals org checked his master password list and was able to enter the Astros system with his old creds


>Last year, some of the information was posted anonymously online, according to an article on Deadspin. Among the details that were exposed were trade discussions that the Astros had with other teams... Believing that the Astros’ network had been compromised by a rogue hacker, Major League Baseball notified the F.B.I., and the authorities in Houston opened an investigation. Agents soon found that the Astros’ network had been entered from a computer at a home that some Cardinals officials had lived in.

And the only way they were caught was because they likely leaked some of the information they found to Deadspin. I remember at the time of the original Astros leak, it was very interesting what specifically was leaked. It was not anything that could damage the Astros from either a legal, financial, or competitive standpoint. It only served as an embarrassment to the front office, almost as if the specific information leaked was meant as petty revenge while trying to walk a line by abiding by a certain competitive and moral code.


Wait does that mean they kept unhashed passwords? That's a big security no no and there's absolutely no reason they should have it like that.


It's more likely that the Cards had an Excel file "Master_Passwords.xls" (or similar) with all his department's passwords listed in it on a shared department folder. No encryption, hashing, etc. Maybe they used Excel password protection on the file.

Just a hunch, but I've seen it many times at past employers.


Or something like KeePass or similar, it can be nice to know people's information in case they leave (I'm not advocating insecure practices), though an Excel sheet or Post-it seems as likely.


It's amazing how many people store passwords in Excel like this. I find them all the time in affiliations that I work with.


> That's a big security no no...

It's a no-no when the provider has a duty to the user, such as when the user is a paying customer. It's probably OK when the provider is the employer and the user is merely an employee? I say this because employers regularly do much worse stuff, like running MitM proxies that log bank passwords...


No. Every action on a network must be directly attributable to exactly one real person. Every person should have permissions to the data/systems they need under their own account. If that includes subordinates' email inboxes and home directories, so be it.

In some cases it may be necessary to see the application from another user's perspective. In this case you build a function analogous to "sudo -i -u user" which lets the privileged employee use his own account to get a session under another user's account, while generating an audit trail.

However this is usually not the right answer. Google Apps does not provide an "impersonate" function, but API endpoints which let you dump all mail to your own archiving system (where your company can search it for investigations, legal discovery, etc.) This is more efficient anyway, and doesn't require the disclosure of user passwords.

You can also do this crudely by resetting the password in the database, gathering whatever you need to, and then changing the password back by replacing the old hash directly in the database. Then at least the impersonation is evident in your MySQL logs.

If there is an Excel sheet of passwords shared among managers, and someone does something nasty from an account whose password is on that sheet, good luck figuring out whether the perpetrator is the account owner, one of the n managers with access to the passwords list, or someone else entirely.
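
The audited impersonation described in the comment above, sketched as an added example that is not part of the original thread. The `App`, `Session` and `AuditLog` names and the sample accounts are hypothetical, and authentication itself is assumed to happen elsewhere.

```python
import hashlib
import json
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    actor: str            # the real person who authenticated
    effective_user: str   # the account whose view this session has


class AuditLog:
    """Append-only log; each entry hashes the previous one, so edits show up."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor, effective_user, action, detail=""):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"ts": time.time(), "actor": actor,
                "effective_user": effective_user,
                "action": action, "detail": detail, "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})

    def verify(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != self._digest(body):
                return False
            prev = entry["hash"]
        return True

    def who_acted_as(self, account):
        """Real people who performed any action under `account`."""
        return sorted({e["actor"] for e in self.entries
                       if e["effective_user"] == account})


class App:
    def __init__(self, privileged, inboxes):
        self.privileged = set(privileged)   # who may impersonate
        self.inboxes = inboxes              # constructed sample data
        self.audit = AuditLog()

    def login(self, user):
        # Assumption: `user` has already proven their own identity.
        self.audit.append(user, user, "login")
        return Session(user, user)

    def impersonate(self, session, target, reason):
        """Analogue of `sudo -i -u target`: no password of `target` is needed."""
        if session.actor != session.effective_user:
            raise PermissionError("nested impersonation is not allowed")
        if session.actor not in self.privileged:
            self.audit.append(session.actor, session.actor,
                              "impersonate-denied", target)
            raise PermissionError(f"{session.actor} may not impersonate")
        if not reason.strip():
            raise ValueError("a reason is required for the audit trail")
        if target not in self.inboxes:
            raise KeyError(target)
        self.audit.append(session.actor, target, "impersonate-start", reason)
        return Session(session.actor, target)

    def read_inbox(self, session):
        # Every action records both identities, so it stays attributable.
        self.audit.append(session.actor, session.effective_user, "read_inbox")
        return list(self.inboxes[session.effective_user])


if __name__ == "__main__":
    app = App({"manager_a"}, {"employee_x": ["q3 report"], "manager_a": []})
    as_x = app.impersonate(app.login("manager_a"), "employee_x", "legal hold")
    app.read_inbox(as_x)
    for e in app.audit.entries:
        print(e["actor"], "as", e["effective_user"], e["action"], e["detail"])
```

With a shared password sheet, every one of these log lines would name only `employee_x`; here the actor column separates the account owner from whoever borrowed the account.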


Context independent, having a store of usernames/ids/emails and plaintext passwords is Bad because it can be cross referenced with a store that actually matters.


I'm guessing they mean they had a break-glass list of passwords for accounts to access those systems.


It could also have been something like LastPass that everyone in the office used.


Well had they deleted the password and someone still accessed the network without authorization and the FBI investigated the situation (much like they are now) then the Cardinals could have been charged with obstruction of justice under the SOX act Section 802.

http://www.soxlaw.com/s802.htm


Lol, whose bud have you been smoking?


This is shocking, I followed this closely last year as I am a die-hard Astros fan but never thought it would be another team. I definitely doubt the Cardinals endorsed this, it was just some dudes that had access. These guys will be fired (if they haven't already) and there will be fines. Nothing too crazy will happen.

Though if the FBI finds that the GM/high level execs knew about the activity... this will be unprecedented. The penalties would be staggering as MLB would want to crack down extremely hard to deter future bad behavior.


Really interested to see how Bud Selig responds to this. Looks like this is the same guy (Luhnow) who SI did a pretty good thing last year about, reference how the Astros were doing a Ctrl+Alt+Dlt[1].

The cynical side of me says that Selig and MLB will try to maybe milk this for some rating or something, considering the meme going around that baseball is dying.

(full disclosure, Twins fan here, so I'm gonna be cynical about anything that Selig does)

[1] http://www.si.com/longform/astros/

Edit: Guess I missed that Selig retired in January. Damn you, work!


Selig retired in January. Rob Manfred is the commissioner now.


Good to know. Guess I missed the press release and party.


Yeah haha, no one really liked Selig. Manfred has been solid so far though. I personally am a fan.


Just FYI, Selig is no longer the commissioner.


Why is it so unbelievable that another team did it? The Patriots have been caught many times engaging in shady activities, including outright spying once. If a football team can do it to another football team, it's conceivable a baseball team can spy on another baseball team too.


> outright spying

The Patriots filmed the Jets' sideline during an actual NFL game that was happening in front of like 80,000 people. It isn't even illegal to film opposing coaches on their sideline, you just can't do it from your own sideline[1]. That's what Spygate was. Is that really spying? Is it outright spying?

[1]: https://en.wikipedia.org/wiki/2007_New_England_Patriots_vide...


Filming sidelines was all they were punished for. But they almost certainly were filming opponents' practices, including the St. Louis Rams' "walkthrough practice prior to Super Bowl XXXVI"[1].

[1]: https://en.wikipedia.org/wiki/2007_New_England_Patriots_vide...


I'm a Bengals fan, so I don't know why I feel the need to constantly defend the Patriots, but let's do it.

> almost certainly

From the Wikipedia article you linked:

- "[The NFL] found no evidence to substantiate the Super Bowl XXXVI allegations or any other transgressions beside those the NFL had already penalized the Patriots for."

- "NFL investigators found practical limitations to the allegation; the Patriots' video equipment that was set up the day before the game had neither battery packs nor a nearby power supply in order to run." In other words, filming the walkthrough was not plausible on a technical level.

- "The Boston Herald [who initially published the story based on an anonymous source] published an apology to the Patriots and their fans for publishing the February 2, 2008, story ... alleging the Patriots had taped the Rams' walkthrough prior to Super Bowl XXXVI. ... They wrote, they should not have published the story, which they deemed to be false."

I'll be honest, I didn't even know about this aspect of Spygate before reading the Wikipedia article, but it seems like the allegation was investigated, the NFL found nothing, and the Boston Herald apologized for a story that was seemingly without merit. Where are you getting "almost certainly"?


It's not illegal, but it was a violation of NFL rules. They sent out a memo to all coaches telling them to stop, but the Patriots continued. They were then fined for "use of equipment to videotape an opposing team’s offensive or defensive signals."


I mean, I agree. Spygate was a violation and they got fined. That seems pretty clear cut and I don't have a problem with it.

I'm just taking issue with the guy calling it "outright spying" which is a pretty exaggerated characterization when you're filming what a coach is doing in front of 50,000 people. If that's spying, then I spy on NFL games pretty regularly.


> These guys will be fired (if they haven't already) and there will be fines. Nothing too crazy will happen.

By the letter of the law, this is a crime. You may be correct, but something substantially more could happen.


Nice to meet another die-hard Astros fan on here. There aren't too many of us.


No doubt, I'm in the Cleveland area so I am seeing them here in July. First time in a while.


Here's how they did it:

"Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said."


And this is how they got caught:

"Believing that the Astros’ network had been compromised by a rogue hacker, Major League Baseball notified the F.B.I., and the authorities in Houston opened an investigation. Agents soon found that the Astros’ network had been entered from a computer at a home that some Cardinals officials had lived in. The agents then turned their attention to the team’s front office."


Where does one get a master list?


Lots of companies keep passwords in an unprotected Excel sheet :/


Please no


Written on a whiteboard?


It'll be very interesting to see how the Commissioner's Office responds to the FBI's findings. While I don't believe espionage is new to MLB, this is the first case of it reaching the public (and federal government) that I can think of.


Since they're no longer in the same division as the Astros, it's a bit less of a penalty, but I'd say every game since the initial breach against the Astros should be forfeited. Additionally, any draft picks during that time should be awarded to the Astros. (not the actual players, but that means they owe the Astros N first round picks, etc)

Probably not going to go down like that, but it's a matter of punishment, as well as compensating the team that was the victim. (I'm from Houston, so probably biased)


It's lucky for them that Bill DeWitt Jr. chaired the search committee who hired the new commissioner. (Shades of Goldman Sachs' perennial association with the Treasury Department...)

However, if the Cardinals are as smart (and perhaps as ethical?) as they previously seemed, they'll get out in front of this, and voluntarily give up their 2013 pennant, as well as fire whoever was involved in this harebrained scheme.


> voluntarily give up their 2013 pennant

I'm a Cardinals fan, I admit it, but that's basically an insane suggestion. It's not going to happen and it's not smart. Why in the world do you think that would be smart?


For one thing, they've got a better team this year, and it's possible they'll be forced to skip the playoffs this year. Then they don't get to sell those tickets, they don't get that chance at a World Series, etc.


Give up a 2013 pennant? Let me guess, you're a Dodgers fan.

Until there are details on what was done and by whom the Cards should do nothing more than fully cooperate with the investigation. Then and only then should the Cards and MLB decide how to respond.


Haha as might be clear from my myriad other posts on this topic, inasmuch as I am a fan of anything baseball-related, I am a Cardinals fan, as generations of my family have been. Because I've lived in Los Angeles, I have especially enjoyed their regular poundings of the Dodgers. I'm not saying that the Dodgers should get the pennant by default. (Would they even want it?) Rather, it should simply not exist.

Fanhood notwithstanding, this is really bad. Unless the FBI finds that someone planted a device on the network of the house that originated the ill-advised logins, someone has to burn for this. (I guarantee that Mike Matheny feels the same way.) It's not quite at the level of Pete Rose (who really ought to be forgiven by now) or the Black Sox, but like those cases it completely undermines the integrity of the sport. I used to be impressed by the Cardinals' great farm system, and I felt it indicated something about Midwestern thrift, practicality, and eccentricity. I don't feel that way anymore.


> I used to be impressed by the Cardinals' great farm system, and I felt it indicated something about Midwestern thrift, practicality, and eccentricity. I don't feel that way anymore.

Well, ironically, that system was built by Luhnow, so I think you're allowed to continue feeling that way :)


"The attack represents the first known case of corporate espionage in which a professional sports team has hacked the network of another team."

I'm pretty sure that in F1 one team hacked another for design details. That said, I can't find a source. IIRC, it was Renault hacking Ferrari, but I'm not sure.


"hacked the network"

Hardly. I'm sure there are countless examples of employees improperly using access given to them by their previous employer.


That distinction seems somewhat dubious. The end result is the same.




Let's see if the penalties are as severe when a major sports team is caught hacking as opposed when a nerdy computer guy is caught hacking.


Could someone please get the NYT to drop the paywall on hackernews links?


> Could someone please get the NYT to drop the paywall on hackernews links?

Use self-destructing cookies or a plugin like it to delete the cookie every time you close the tab and you won't run into the NYT paywall.

Alternatively, you could use a plugin like refcontrol and set your referrer on NYT as news.google.com and be in the clear if you like hanging on to cookies for some strange reason.


That's a really good idea. Are there any NYT folks here? Is there a procedure in place for doing this sort of thing? I imagine that news.ycombinator.com is a more common Referer than news.google.com in the development community; it'd be nice to have the same treatment from media organizations.


>I imagine that news.ycombinator.com is a more common Referer than news.google.com in the development community

Really? I'd suspect it to be the other way around. For reference, here are some HN stats: https://news.ycombinator.com/item?id=9219581 .


> I imagine that news.ycombinator.com is a more common Referer than news.google.com in the development community

I wouldn't be so sure of that; considering my own pattern, even when my reading is being driven by HN, I usually do several google searches for related content, including frequently Google News searches for related news items from other sources, for each page I go to directly from HN. And not all of my reading -- even related to development/startup things -- is driven by HN.


You can't show Googlebot one thing (the article) and real people another (the paywall) without being penalized and losing your free search traffic. That's why visits referred from Google see the full article. It's not because someone at NYT decided they don't want people from certain sites to become paid customers; if they could paywall Google-referred traffic without losing that traffic they would.


This really sounds like more of a "Astros suck at employee off-boarding" problem. They failed to lock out users of the previous system long after they left the company.

Regardless of their weak password storage scheme (which must be fixed), a simple set of changes (like disabling public access to their system, disabling VPN for terminated users, and changing passwords) would have stopped this from ever occurring.


No this was on-boarded employees using the same passwords at their new job that they had used at the old job. I bet the Cardinals were at least savvy enough to disable Luhnow's old accounts.


Dude should have used a password manager. Or maybe just a new password.

Also, the Cards staff probably shouldn't have logged in from home.

Also, how on Earth is this a valid use of the FBI's resources? Fix your broken crap yourselves, Astros.


One multi-million dollar business franchise gained illegal access to the computer network and private data of another multi-million dollar business franchise. Sounds right up the FBI's alley to me.


Since when does the FBI care about corporate wrong-doing?


Another way to phrase "corporate wrong-doing" is "crime."

So that's probably why the FBI would care.


Except when it involves bankers...

RE downvoters: http://www.nytimes.com/2014/05/04/magazine/only-one-top-bank...


I'm not sure where the legal line gets drawn. There was no hacking. There was an attempt to use a password that worked.

Right now, "unauthorized access" is any after-the-fact declaration that someone didn't want someone else looking at something.

If there had been broken encryption, 0-day exploits, SQL injection attacks, etc... THAT is hacking. Not accessing a public endpoint that lets you in.


This kind of hair-splitting is why the legal definition of "exceeding authorized access" is so general.

There seems to be a very popular misconception that the law criminalizes "hacking", as in "0-day exploits" and "SQL injection". No: thankfully, the law doesn't so much care about how you get access. It cares that you knowingly access things without permission, no matter how you do it.


So by your lights I could make a copy of a key on your key ring, enter your house, take stuff, and that is fine because your locked door is a public endpoint?

Or if the fact that the key is physical gives you pause, let's say you have a numeric keypad lock, and at work one day you commented that you had it set to the same setting as the lock at work to make it easy for you to remember. Do I get to take your stuff?


It's funny, these arguments weren't top of mind with regards to the hacking charges against weev or Aaron Swartz. In that case, HN was clear fault lay with AT&T or MIT and the abuse of the word "hacking" was a horrible miscarriage of justice.


Accessing a public endpoint has been prosecuted before. http://arstechnica.com/tech-policy/2013/03/auernheimer-aka-w...


True. And many, many people had trouble with that decision - many of them members of HN. Just because it's been prosecuted doesn't make the outcome any less right or wrong.


Of course - I think it was probably wrong too, though this isn't really the place. But OP was talking about the legal line.


"any after-the-fact declaration that someone didn't want someone else looking at something."

I think putting password protection on something isn't "after-the-fact", it's pretty obvious they didn't want someone else looking.


Just because it's sports doesn't make it any less illegal.


It does make it much less important. Nobody is going to die because the Cardinals know what the Astros think about some high school pitcher. With this and the FIFA thing, it seems as if the FBI is interested mostly in sports. Meanwhile, murderers are on the loose, there has still been no meaningful investigation of the financial shenanigans for which we've all paid, there has been no examination of the FBI's own adventures in illegal surveillance and parallel construction, etc.

It's clear, too, that the Astros' staff brought this on themselves. When one is hired away to a competing organization, start using new passwords! Sheesh.


More than 1200 immigrant workers (essentially slaves) have died building the stadiums for the Qatar World Cup, a World Cup that it seems increasingly likely Qatar only got because of illegal bribes. [1]

FIFA's shenanigans also costs Americans money, in the form of the bribes and backdoor deals the various TV networks have had to pay to get the TV rights, which directly or indirectly consumers end up paying.

I don't know if what the Cardinals did rises to the level of organized crime that FIFA seems to be, but MLB teams are publicly funded (via stadium-building subsidies) companies, and deserve scrutinization just like any other business.

[1] http://www.motherjones.com/mixed-media/2015/05/chart-fifa-de...


Wow I thought it was weird when the USA was held responsible for not stopping atrocities in sub-Saharan Africa. TIL we're responsible for Qatari workplace conditions. Maybe I should migrate to Canada; this is just too much pressure.


No one would die if Google or Facebook or Apple or, well, 99% of other companies were infiltrated for the theft of highly-valuable corporate secrets. That doesn't make it outside the purview of the FBI.


So, the whole idea of patents is that we don't approve of corporate secrets. What's the idea of also giving legal protection to trade secrets?


That's absolutely not the whole idea of patents. You should probably skim the Wikipedia page.


> Primary incentives embodied in the patent system include incentives to invent in the first place; to disclose the invention once made; to invest the sums necessary to experiment, produce and market the invention; and to design around and improve upon earlier patents.

This is two goals, stated as four:

1. There should be more technology developed under a patent system than otherwise.

2. People should stop keeping their technology secret.

> Main article: History of patent law

> Patents were systematically granted in Venice as of 1450, where they issued a decree by which new and inventive devices had to be communicated to the Republic in order to obtain legal protection against potential infringers.

Goal #2 is the origin of the system, and the only goal that the system directly addresses.

So let's take a common example of a trade secret protected by American law: a company's customer list.

I don't see the argument that businesses wouldn't bother developing customers in the absence of trade secret law. Nor do I see why protecting that information is in the interest of anyone outside that particular company. It's definitely contrary to the interests of the customers.

The Uniform Trade Secrets Act explicitly states that it's intended to protect businesses who believe that their information is nonpatentable:

> "In view of the substantial number of patents that the courts invalidate, many businesses now elect to protect commercially valuable information by relying on the state trade secret protection law."

And hey, for secrets like a customer list those businesses are surely correct. But who cares? Trade secrets are by definition something the business felt was worth the effort of developing regardless of patentability concerns. Any hypothetical benefits to society are, at best, extremely precarious -- that's why we have patent law. Trade secret protections are an undisguised, pointless giveaway, and they undermine the goals of the patent system.


I think there's another angle here, which is that the individual players may have been harmed - with confidential scouting reports or player performance data, the behavior of the Cardinals may have changed towards those players. They may have missed opportunity to advance their careers, or get a better deal, etc.

It's not just about one team spying on another team, there are ripple effects here of people who might have been negatively impacted by the illegal activity of the Cardinals.


I understand you are frustrated in seeing the FBI spend public efforts on sports. However, you say, "it seems as if the FBI is interested mostly in sports" based off 2 stories.

The FBI is a huge organization. They can investigate illegal computer access as well as slavery rings. Their sports investigations are no different than any other corporation.

W/R/T your other objections, regarding financial and surveillance issues, well, it's clear that your opinions differ from those in power. To continue calling for investigation of financial shenanigans is, well, your choice, but it's not something I'm getting upset about. (Not because I don't think it's wrong, but because I don't like getting upset over things I have zero control over.)


re "Astros' staff brought this on themselves": A predictable outcome doesn't make it an acceptable outcome. They should have taken security more seriously, but that doesn't in any way excuse the Cardinals for exploiting them.


See, I disagree. You know how if you're in public you have no reasonable right to privacy?

Well, if your network is open to the public and not properly secured, that's on you. Especially multi-million dollar organizations that can afford to pay security experts.


An unlocked door is not in itself permission to enter a house.

Bad or no security is not in itself permission to enter.

Yes, the Astros do bear some responsibility to make sure things are not easily accessible. That doesn't change the fact that what the Cardinals did was wrong.


Look up lock bumping. I (well, somebody) could be inside your house in 10 seconds if you use a normal lock. I trust you won't be calling the cops when you find your home emptied of all valuables? It's on you, right?


so corporate espionage isn't in the purview of the FBI so long as no one dies because of it?

I'll be sure to use that line at my deposition


If the argument were valid, it'd be more useful to have your counsel use it in a motion to quash the subpoena for your deposition than for you to use it at your deposition.


> Nobody is going to die because the Cardinals know what the Astros think about some high school pitcher.

We have criminal laws for things besides murder, which would be kind of pointless if we didn't allocate criminal law enforcement resources to things besides murder.


Maybe for Ground Control, but that doesn't explain how they penetrated the Astros' LAN.

So yes, FBI.


Obviously, at least the player DB was open to the internet. [EDIT: TFA talks about "networks", but not specifically enough to be sure the DB was even on a LAN.] These people weren't hackers. They didn't even use a public hotspot, let alone Tor or one of these no-log VPNs.

This perhaps is another indictment of the Astros' security policies. It certainly should be on the FBI checklist for "should we help these clowns figure out how they got hacked?"


If I leave my front door open, it's still illegal for you to come inside and take things.


OMG why do people persist in recycling this inane and ridiculous physical analogy? We've heard it about 600 times already, and it doesn't make any more sense the 601st time. A node on the network is not a place, any more than a telephone is a place. If one node sends a message to another node, the receiving node may respond in any fashion, including no response at all. It may be necessary to police this common interaction, but that necessity does not follow from the common human desire for security in one's home.


Analogies aren't meant to be perfect comparisons. That's why they're analogies.

The analogy works well enough, since we're dealing with private property (home, network) concealed by points of entry (doors, windows, nodes). Types of responses and feelings of security, etc are outside the scope of the analogy.


In what sense does a window or a node "conceal" anything? Perhaps you're thinking of curtains and adequately-implemented authentication? If I call a phone number, and the answering machine comes on and tells me some corporate secrets, would you still compare my nefarious conduct to the physical acts of physically entering someone else's home and depriving them of their physical goods?

By the way, it's disingenuous to introduce a scenario (of dubious relevance) that inspires strong feelings and then to deny you intended to evoke those feelings.


We don't know the details, but I think it's safe to say that if the allegations are true, the Cardinals engaged in a form of cheating. It could be that their cheating had very deep and nefarious implications, but I doubt it. If anything, they may have stolen some secrets that gave the Cards an advantage over the Astros in player acquisition strategy.

What I cannot get over is how absurd is it that the Federal Government has been able to insert itself so deeply into a problem that doesn't warrant FBI involvement in the slightest. Athletic teams have been cheating for centuries. Sometimes that cheating involves ruined careers for both the cheater and the cheated, and sometimes they involve teams losing money. But what they rarely involve is the FBI. And the only times I can think of when they have involved law enforcement have been narcotics or gang related.

To me, this sounds no worse than various other advantages that teams unethically gain for themselves. That our legal system allows for this particular type of cheating to potentially be a federal crime is frightening. Let MLB handle this internally, and play ball.

[edit: holy shit. I get it. The FBI is acting within its legal right (and duty). This is a moral statement about the law that they are tasked with enforcing.]


> Believing that the Astros’ network had been compromised by a rogue hacker, Major League Baseball notified the F.B.I., and the authorities in Houston opened an investigation. Agents soon found that the Astros’ network had been entered from a computer at a home that some Cardinals officials had lived in. The agents then turned their attention to the team’s front office.

So it looks like the Astros/MLB were unable to determine internally how their network was compromised and then contacted the FBI. This seems perfectly reasonable to me.


I like that aspect, which is using the FBI's resources to help solve a problem. But, to me, it's fucked up that once you call the FBI, they take over, and often bring absurdly punitive charges with them. We saw this with Aaron Swartz and Sergey Aleynikov.


The FBI loves it. They think their fingers ought to be in all the pies. Thus grows the State.


Interstate computer fraud and abuse is a federal crime. That the business affected plays some boring game doesn't make it any less of a crime than if they sold sugar water or provided computer services.


I'm not saying it's not a crime. I'm saying that it's fucked up that it is a crime.


One business accessed another's computers without authorization and profited from it, to the other business's detriment (which is now conducting business with paper and pencil). Why does it matter that the businesses are in the entertainment industry like Sony Pictures Entertainment, which also had a recent high profile network security incident?


In all major athletic leagues, this behavior is never treated like a crime. Players have their careers ruined by intentional assaults. Players take illegal substances to enhance performance relative to others. High profile games are won and lost based on violating league rules. These are all forms of cheating that cause material impact on other members of the league. They are never settled by Federal Prosecution. What makes this "hacking" case materially different from those others? Only the fact that the federal government has the right to get involved if a computer is accessed without authorization.

A guy was completely careless with his password, and a competitor used it to steal information. The analogy to "stealing signs" in baseball is almost perfect. In one case, we laugh. In another, the guy goes to federal prison.


You're still saying that a crime shouldn't be a crime just because it happens to be committed in order to cheat at sports. Should I be able to get away with theft if I'm just stealing some other team's sticks and balls to make them play worse?


That's the typical attitude on communities like HN re sports. Even though the computers may contain trade secrets worth millions (for instance, trade discussions), it's worthless because it's a game. However, if their Github was hacked and someone stole the source for their Rails/Bootstrap startup that's an AirBnB for Umbrellas, it'd be the crime of the century.


Chances are that a large amount of what might appear to be "intrastate" internet traffic ends up routed out of state. Does that give the feds jurisdiction? Or would it have to be based on the endpoint computers being in different states?


If I'm not mistaken, I would guess the only reason the FBI is involved is because it's interstate computer crime, which is their jurisdiction. I see what you mean though - if it's just a matter of someone stealing the old GM's password and using it to log in, let's not waste the taxpayer dollars.


I get what you're saying, but I'm actually happy the FBI is getting involved when it's a matter of "hacking" (regardless of the appropriateness of that term) involving multi-million (billion?) dollar companies.

Or to put it another way, I'd much rather the FBI spent its time prosecuting crimes committed by large companies than screwing over kids like Aaron Swartz for their minor indiscretions.


You're thinking of this as if it were two local amateur sports teams, which makes it seem like it's absurd for the FBI to be involved.

Instead, I would look at this as two multi-million dollar businesses engaging in corporate espionage. When seen from that angle, it is exactly the sort of thing the FBI should be involved in.


Should the FBI be involved when the Pats deflate some footballs? That cheat cost some team tens of millions of dollars. I don't think so. I think it's for the NFL to decide.


> Should the FBI be involved when the Pats deflate some footballs?

Is there a federal law that makes doing that a federal crime, and, if so, is there not a federal law enforcement agency besides the FBI that has been designated to exclusively enforce the applicable law?

If yes to both of those, then, sure, there is a good case for the FBI getting involved, because it's their job. Otherwise, no, they shouldn't, because it's not.


I think we're on two different wavelengths here. When I say that the FBI shouldn't be involved, I'm not saying that a subordinate should disobey orders to enforce the law. I'm not saying that they are not legally within their right to do so. This is morality. And morality is deeper than blindly obeying legal statutes.

I'm saying that the act of transforming an everyday action into a federal crime just because unauthorized computer access was involved is a horrible, dangerous system for us to have.


The everyday action in this case would be akin to someone breaking into a rival company's headquarters, trespassing, and stealing secrets. Sounds like an action that's worthy of federal criminality to me.


Well the NFL did decide that on their own, because they were able to figure out what happened internally. In this case, the MLB was unable to determine who compromised the Astros' network. So it would be completely appropriate for the MLB to seek outside help. Since, as noted in the article, their assumption was that some hacker penetrated their network, they called the FBI.


Why does the size of the organisations make a difference?


Because typically the FBI only investigates crimes where damages are potentially over a million dollars (or cases like kidnapping, murder etc. that cross state lines).


This was across state lines so it is automatically the FBI's jurisdiction.



